
AWS Infra Skill for OpenClaw

Manage AWS infrastructure (EC2, S3, Lambda, etc.).

Last updated: 2026-03-10

Quick Install

$ npx clawhub@latest install aws-infra

Key Features

Provision and manage EC2 instances, S3 buckets, and Lambda functions
Debug IAM policies and resolve permission errors
Analyze AWS costs and recommend optimizations
Configure VPCs, security groups, and networking
Deploy serverless applications with CloudFormation and SAM
Monitor resources with CloudWatch metrics and alarms

OpenClaw AWS Infra Skill Overview

The AWS Infra skill connects OpenClaw to Amazon Web Services via the AWS CLI and related tooling. Once installed, your OpenClaw agent can provision resources, manage IAM policies, debug permission issues, and optimize cloud costs — all through plain English commands.

AWS is the world's largest cloud platform, offering over 200 services. Its CLI surface area is enormous, with thousands of subcommands and configuration options. The OpenClaw AWS Infra skill eliminates the need to memorize complex aws commands and JSON policy documents. Instead of navigating the AWS Console or reading lengthy documentation, you describe what you need and the agent handles the rest.

Typical workflow:

  1. Ask OpenClaw to check the status of your EC2 instances in us-east-1.
  2. The agent runs aws ec2 describe-instances with the appropriate filters.
  3. Results are returned in a readable summary with instance IDs, states, and costs — no context-switching required.

This skill covers core AWS services including EC2, S3, Lambda, IAM, VPC, CloudFormation, CloudWatch, RDS, and DynamoDB. It pairs naturally with the Kubernetes skill for teams running EKS clusters and the Docker Essentials skill for container-based deployments.

Prerequisites for AWS Infra Skill

Before installing the AWS Infra skill, make sure you have:

  • OpenClaw installed and running (v1.0+)
  • AWS CLI v2 installed (see the AWS CLI installation guide)
  • An AWS account with IAM credentials configured
  • clawhub CLI installed for skill management

Verify your setup:

```bash
# Check OpenClaw version
openclaw --version

# Check AWS CLI version
aws --version

# Verify AWS authentication
aws sts get-caller-identity

# List configured profiles
aws configure list-profiles
```

If aws sts get-caller-identity returns an error, you need to configure credentials. Run aws configure or set environment variables as described in the Configuration section below.

How to Install the AWS Infra Skill

Install the AWS Infra skill with a single command:

```bash
npx clawhub@latest install aws-infra
```

To verify the installation:

```bash
clawhub list
```

You should see aws-infra in the list of installed skills. The skill includes helper scripts for cost analysis, IAM policy debugging, security audits, and resource inventory.

AWS Infra Skill Configuration

The AWS Infra skill relies on your existing AWS CLI configuration for authentication. No additional API keys are needed — if aws commands work on your machine, the skill works too.

Credential Setup

AWS supports multiple authentication methods. Choose the one that fits your workflow:

```bash
# Option 1: Configure with access keys (basic setup)
aws configure
# Enter: AWS Access Key ID, Secret Access Key, Default region, Output format

# Option 2: Use environment variables
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1

# Option 3: Use AWS SSO (recommended for organizations)
aws configure sso
aws sso login --profile my-sso-profile

# Option 4: Use IAM roles (recommended for EC2/ECS workloads)
# No configuration needed — the SDK automatically uses the instance role
```

Profile Management

For multi-account setups, use named profiles to separate environments:

```bash
# Configure a profile for staging
aws configure --profile staging

# Configure a profile for production
aws configure --profile production

# Use a specific profile
export AWS_PROFILE=staging
```

Important: Never use root account credentials. Create dedicated IAM users or roles with least-privilege permissions. Store credentials securely using a secret manager like the 1Password skill or environment variables.

AWS Infra Skill Usage Examples

1. Debug IAM Permission Errors

You: "I'm getting an AccessDenied error when trying to write to the reports S3 bucket. Help me fix the IAM policy."

The agent runs aws iam get-user-policy and aws s3api get-bucket-policy to inspect your current permissions. It identifies the missing s3:PutObject action and suggests an updated policy document with the minimum permissions needed.
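As an added illustration (not the skill's own code), the sketch below shows what a minimum-permission fix for this case can look like, plus a text-level check to run on any suggested policy before approving it. The function names and the `WriteReportsOnly` Sid are hypothetical, and the bucket name `reports` is taken from the prompt above and assumed to be the literal bucket name.

```bash
# Added example: names below are hypothetical, not part of the aws-infra skill.

# least_priv_put_policy BUCKET PREFIX
# Prints an identity policy that allows only s3:PutObject under BUCKET/PREFIX.
least_priv_put_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteReportsOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$1/$2*"
    }
  ]
}
EOF
}

# wildcard_findings: reads a policy on stdin and prints every line holding a
# bare "*", a service-wide action such as "s3:*", or an all-buckets S3 ARN.
# This is a heuristic text match, not an IAM policy evaluation.
wildcard_findings() {
  grep -nE '"([A-Za-z0-9-]+:)?\*"|"arn:aws:s3:::\*' || true
}

# review_policy: reads a policy on stdin; returns 0 when no wildcard grant is
# found, 1 (with the offending lines on stderr) otherwise.
review_policy() {
  local findings
  findings="$(wildcard_findings)"
  [ -z "$findings" ] && return 0
  printf 'over-broad grant, do not approve as-is:\n%s\n' "$findings" >&2
  return 1
}

# Usage (constructed): least_priv_put_policy reports daily/ | review_policy
```

A policy that passes this check can still be too broad (for example `s3:Put*`), so it narrows the manual review rather than replacing it.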

2. Provision EC2 Instances

You: "Launch a t3.medium Ubuntu instance in us-west-2 with a 50GB EBS volume and my default security group."

The agent uses aws ec2 run-instances with the correct AMI ID for the latest Ubuntu LTS in us-west-2, attaches the EBS volume, and assigns the security group. It returns the instance ID, public IP, and estimated hourly cost.

3. Analyze and Optimize Costs

You: "Show me my top 5 most expensive AWS services this month and suggest ways to reduce costs."

The agent queries AWS Cost Explorer with aws ce get-cost-and-usage, breaks down spending by service, and identifies optimization opportunities — such as unused EBS volumes, oversized instances, or S3 lifecycle policies that could reduce storage costs.

4. Configure VPC Networking

You: "Create a VPC with public and private subnets across two availability zones, with a NAT gateway for private subnet internet access."

The agent generates and applies the necessary aws ec2 commands to create the VPC, subnets, route tables, internet gateway, and NAT gateway. It returns a summary of all created resources with their IDs and CIDR ranges.

5. Monitor with CloudWatch

You: "Set up a CloudWatch alarm that notifies me when CPU utilization on the API server exceeds 80% for 5 minutes."

The agent creates the alarm using aws cloudwatch put-metric-alarm, configures the evaluation period and threshold, and connects it to an SNS topic for email notifications. It confirms the alarm is active and provides the ARN for reference.

Security & Best Practices

AWS infrastructure operations can have significant impact on your cloud environment and costs. Follow these guidelines to stay safe:

  • Use least-privilege IAM policies. Create dedicated IAM users or roles with only the permissions needed for your tasks. The AWS IAM best practices guide covers policy design in detail.
  • Never use root credentials. Always use IAM users or roles. Enable MFA on the root account and lock it away.
  • Scope by region and account. Use named profiles and environment variables to prevent accidental changes in the wrong account or region.
  • Review before applying. OpenClaw prompts for confirmation before resource creation, modification, or deletion. Always review the proposed changes and estimated costs.
  • Enable CloudTrail. Configure AWS CloudTrail to log all API calls made through the skill. Review logs regularly.
  • Tag all resources. Use consistent tagging for cost tracking and ownership. Ask the agent to add Environment, Project, and Owner tags to every resource it creates.
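The "never use root" and "scope by region and account" guidelines can be enforced mechanically before an agent session starts. The pre-flight guard below is an added example, not part of the skill; `check_target`, `preflight`, `EXPECTED_ACCOUNT`, `ALLOWED_REGIONS` and the account ID are hypothetical or constructed.

```bash
# Added example: refuse to proceed if the active credentials are root, belong
# to the wrong account, or point at a region outside an allowlist.
: "${EXPECTED_ACCOUNT:=111122223333}"        # constructed placeholder account ID
: "${ALLOWED_REGIONS:=us-east-1 us-west-2}"  # space-separated allowlist

# check_target ARN REGION EXPECTED_ACCOUNT ALLOWED_REGIONS
# Pure string check, no AWS calls. Returns 0 = ok, 1 = wrong account,
# 2 = region missing or not allowed, 3 = root credentials.
check_target() {
  local arn region expected allowed account
  arn="$1"; region="$2"; expected="$3"; allowed="$4"
  # ARN layout: arn:partition:service:region:account-id:resource
  account="$(printf '%s' "$arn" | cut -d: -f5)"

  case "$arn" in
    arn:*:iam::*:root)
      echo "refuse: root credentials in use" >&2; return 3 ;;
  esac
  if [ "$account" != "$expected" ]; then
    echo "refuse: account '$account', expected '$expected'" >&2; return 1
  fi
  if [ -z "$region" ]; then
    echo "refuse: no region configured" >&2; return 2
  fi
  case " $allowed " in
    *" $region "*) return 0 ;;
  esac
  echo "refuse: region '$region' not in allowlist" >&2; return 2
}

# preflight: reads the live identity and region with the AWS CLI, then applies
# check_target. Honors AWS_PROFILE like any other aws invocation.
preflight() {
  local arn region
  arn="$(aws sts get-caller-identity --query Arn --output text)" || return 4
  region="${AWS_REGION:-${AWS_DEFAULT_REGION:-$(aws configure get region)}}"
  check_target "$arn" "$region" "$EXPECTED_ACCOUNT" "$ALLOWED_REGIONS"
}

# Usage (constructed): AWS_PROFILE=staging preflight && echo "safe to start the agent"
```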

Troubleshooting Common Errors

"Unable to locate credentials"

The AWS CLI cannot find valid credentials in any of the standard locations.

```bash
# Check current credentials
aws sts get-caller-identity

# Reconfigure credentials
aws configure

# Or set environment variables
export AWS_ACCESS_KEY_ID=your_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_key
```

If using SSO, run aws sso login to refresh your session.

"An error occurred (AccessDenied)"

Your IAM user or role lacks the required permissions for the requested action.

  1. Check your current identity: aws sts get-caller-identity
  2. Review attached policies: aws iam list-attached-user-policies --user-name your-user
  3. Use the IAM Policy Simulator to test permissions.
  4. Ask your account administrator to grant the specific permission needed.

"An error occurred (InvalidParameterValue)"

A parameter in your request is incorrect or incompatible with the target region.

  1. Verify the resource exists in the specified region: aws ec2 describe-instances --region us-east-1
  2. Check that AMI IDs are region-specific — an AMI from us-east-1 won't work in eu-west-1.
  3. Validate security group IDs belong to the correct VPC.

FAQ

Yes, when configured with proper IAM scoping. The skill follows OpenClaw's confirmation model — resource creation, modification, and deletion all require your explicit approval before execution. We recommend creating a dedicated IAM role with permissions limited to the services and regions you need. Use separate AWS profiles for staging and production, and always review the [Safety Checklist](/skills#safety) before connecting production accounts.

The AWS Infra skill manages AWS-native services — EC2, S3, Lambda, IAM, VPC, and more. The [Kubernetes skill](/skills/kubernetes) operates at the container orchestration layer, managing pods, deployments, and services on any Kubernetes cluster (including Amazon EKS). For teams running EKS, both skills complement each other: use AWS Infra for cluster provisioning, networking, and IAM roles, and Kubernetes for workload management inside the cluster.

Yes. The skill uses your AWS CLI profiles to switch between accounts. If you have profiles configured for development, staging, and production accounts, you can ask OpenClaw to target any of them by name. Run `aws configure list-profiles` to see your available profiles, then tell the agent which profile to use. For organizations using AWS Organizations, consider using AWS SSO for centralized access management across all accounts.

Related Skills

Kubernetes (Recommended): Manage Kubernetes clusters, deployments, and services.

Docker Essentials (Recommended): Build, run, and manage Docker containers and images.

Deploy Agent (Caution): Multi-step deployment automation for services/apps.